
Re: IP forwarding?



On Wednesday 30 March 2005 17:07, Jason Lim wrote:
> ----- Original Message -----
> From: "Alexandros Papadopoulos" <apapadop@alumni.cmu.edu>
<snip>
> > On Wednesday 30 March 2005 10:28, Jason Lim wrote:
> > <snip>
> >
> > > I basically have 2 networks, each with 32 IPs.
> > >
> > > Say the first network is 1.2.3.1-32
> > > and the second network is 5.6.7.1-32
> > >
> > > Is there a way to make it so requests for 1.2.3.1 go to 5.6.7.1,
> > > and 1.2.3.2 go to 5.6.7.2, so basically map 1.2.3.1-32 to go to
> > > 5.6.7.1-32?
> >
> > So you need the following:
> >
> > * The gateway that will receive packets destined to 1.2.3.0/32 to
> > have a route to the 5.6.7.0/32 network.
> > * The gateway running iptables rules that will forward any request
> > to 1.2.3.[1-32] to 5.6.7.[1-32] and of course fiddle with the
> > source address of reply packets to make it work.
> >
> > The former is pretty simple, route add blah blah. The latter can be
> > done with iptables as described here:
>
> http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html#DNATTARGET
>
> > I'm not sure if you can use DNAT rules for subnets, or you need to
> > do it on a host-by-host basis. Worst case scenario, you'd end up
> > with 32 rules.
> >
> > Are you sure you can't get around this with updated DNS records?
> >
> > -A
>
> Thanks Alexandros!
>
> I cannot do this with DNS records because some of the visitors use
> hardcoded IPs rather than domains or hostnames (yes, bad design, but
> too late to change it now).
>
> The question I have, though: for the servers at 5.6.7.[1-32], if a
> client computer visits the corresponding IP at 1.2.3.[1-32], it would
> show only 5.6.7.[1-32] and not the actual client computer/website
> visitor, right?

I'm not sure what you mean here. Are you worried that e.g. a web server 
in your 5.6.7.x subnet will not record the real IP of the visitor in 
its logs, and instead record 1.2.3.x addresses as the originating IPs?

DNAT will not do that, I think. It should preserve the original (client) 
IP in the packet that gets forwarded to the 5.6.7.x network. Not sure 
though - let us know when you try it out.

-A
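The gateway-side rule set the thread talks about, written out as an added example that is not part of the original mails: it generates (but does not apply) one DNAT rule per host for the 1.2.3.[1-32] -> 5.6.7.[1-32] mapping, using the thread's placeholder prefixes; the function names are mine. It also makes the point raised above explicit: DNAT rewrites only the destination address, so the 5.6.7.x servers still see the real client source address in their logs, and conntrack reverses the translation on the replies as long as the reply path from 5.6.7.x runs back through this gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands a
# gateway would run to map PUBLIC_PREFIX.1-N onto BACKEND_PREFIX.1-N.
# The prefixes 1.2.3 / 5.6.7 and the host range are the thread's
# constructed placeholder values, not real addresses.

# Emit one PREROUTING DNAT rule per host: packets arriving for
# PUBLIC.i are rewritten to go to BACKEND.i. The source address is
# left untouched, so the backend host logs the real client IP.
dnat_rules() {
    public=$1    # e.g. 1.2.3
    backend=$2   # e.g. 5.6.7
    count=$3     # number of hosts to map, e.g. 32
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'iptables -t nat -A PREROUTING -d %s.%s -j DNAT --to-destination %s.%s\n' \
            "$public" "$i" "$backend" "$i"
        i=$((i + 1))
    done
}

# The complete command list for the gateway: routing between the two
# networks must be enabled, otherwise the DNATed packets are dropped
# after translation. Replies are un-DNATed automatically by conntrack,
# which is why the backend's return traffic has to pass this box.
gateway_script() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    dnat_rules "$1" "$2" "$3"
}

# Print the rule set for the thread's example networks.
gateway_script 1.2.3 5.6.7 32
```

Pipe the output through `sh` on the gateway only after reviewing it; the script itself never touches the live ruleset.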